Control: 9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
Description
Client certificates allow the app to require a certificate on incoming requests, so that only clients presenting a valid certificate can reach the app. This TLS mutual authentication technique, common in enterprise environments, lets the server verify the authenticity of its clients. With incoming client certificates enabled, only an authenticated client holding a valid certificate can access the app.
By default, incoming client certificates is set to Ignore.
Remediation
From Console
- Login to Azure Portal and go to App Services.
- Click on each App.
- Under Settings section, click on Configuration.
- Go to General settings tab.
- Set the option Client certificate mode located under Incoming client certificates to Require.
From Command Line
To set Incoming client certificates value for an existing app:
az webapp update --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --set clientCertEnabled=true
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v130_9_4
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.cis_v130_9_4 --share
SQL
This control uses a named query:
select
  app.id as resource,
  case
    when not client_cert_enabled then 'alarm'
    else 'ok'
  end as status,
  case
    when not client_cert_enabled then name || ' incoming client certificates set to off.'
    else name || ' incoming client certificates set to on.'
  end as reason,
  app.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_app_service_web_app as app
  left join azure_subscription sub on app.subscription_id = sub.subscription_id;
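The same alarm/ok decision, applied in Python to a constructed sample shaped like `az webapp list` output, as an added example that is not part of the control or the azure_compliance mod. It assumes the camelCase property names clientCertEnabled and clientCertMode (enum value Required) from the Azure web app resource, and goes one step beyond the page's query with an optional stricter mode: certificates enabled but mode left at Optional still admits clients without a certificate, which the remediation's "Require" setting is meant to close.

```python
import json

# Constructed sample in the shape of `az webapp list` JSON output
# (property names clientCertEnabled / clientCertMode are assumed); not real tenant data.
SAMPLE_APPS_JSON = """
[
  {"name": "api-prod", "resourceGroup": "rg-prod", "clientCertEnabled": true,  "clientCertMode": "Required"},
  {"name": "portal",   "resourceGroup": "rg-prod", "clientCertEnabled": true,  "clientCertMode": "Optional"},
  {"name": "legacy",   "resourceGroup": "rg-old",  "clientCertEnabled": false, "clientCertMode": "Required"}
]
"""


def evaluate_app(app, require_mode=False):
    """Return (status, reason) for one app record.

    Mirrors the control's named query: clientCertEnabled false -> 'alarm',
    with the same reason strings. With require_mode=True the check is stricter
    than the page's query and also alarms when certificates are enabled but
    clientCertMode is not 'Required' (assumed enum value), because 'Optional'
    still lets clients without a certificate reach the app.
    """
    name = app["name"]
    if not app.get("clientCertEnabled", False):
        return "alarm", f"{name} incoming client certificates set to off."
    mode = app.get("clientCertMode")
    if require_mode and mode != "Required":
        return "alarm", f"{name} incoming client certificates on but mode is {mode!r}, not Required."
    return "ok", f"{name} incoming client certificates set to on."


def evaluate_all(apps_json, require_mode=False):
    """Evaluate every app in the JSON array; returns {name: (status, reason)}."""
    return {app["name"]: evaluate_app(app, require_mode) for app in json.loads(apps_json)}


if __name__ == "__main__":
    for status, reason in evaluate_all(SAMPLE_APPS_JSON, require_mode=True).values():
        print(f"{status:5} {reason}")
```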